Socrates understands that the ability to protect our customers’ data, follow proper security procedures and mitigate potential risk is essential to building trust and delivering a high level of service. We use a multi-layered approach to protect key assets by constantly monitoring and improving our applications, systems, and processes.
The following overview describes the main focus areas of the Socrates Cloud offering:
- Information Security Program – standards, people, policies
- Protecting Customer Data – encryption, network, access
- Security by Design – application, testing, infrastructure
- Event Management – visibility, response, recovery
Information Security Program
Executive Management has issued, approved, and supported a set of policies and procedures aligned with ISO 27001 to ensure security across the entire business. By adopting the ISO security standard, Socrates confirms that we are aligned with the most widely accepted international code of practice, assuring customers of our commitment to managing their data securely.
Compliance with Socrates’ Information Security Policies applies to all members of the Socrates workforce, including regular employees and independent contractors. All personnel are required to understand and follow internal policies and standards. Before gaining initial access to systems, everyone must agree to confidentiality terms, pass a background screening, and attend security awareness training. This training covers privacy and security topics including device security, acceptable use, preventing malware, physical security, data privacy, account management, and incident reporting.
All personnel are required to complete a refresh of privacy and security training at least annually. They are also required to acknowledge that they’ve read and will follow Socrates’ Information Security Policies at least annually. Some workers, such as engineers, operators and support personnel who may have elevated access to systems or data, will receive additional job-specific training on privacy and security. Everyone is required to report security and privacy issues to appropriate internal teams.
Socrates maintains a set of policies, standards, procedures and guidelines that provide the Socrates workforce with information for operating within Socrates’ Information Security Policy. Our security documents help ensure that Socrates customers can rely on our workers to behave ethically and for our service to operate securely. Policies are updated periodically and reviewed annually.
Protecting customer data
Data in transit and at rest
Socrates transmits data over public networks using strong encryption. This includes data transmitted between Socrates clients and the Socrates service. Socrates supports the latest recommended secure measures to encrypt all traffic in transit, including the use of TLS 1.2. At rest, optional AES-256 encryption and SHA-2 signatures are available where supported by the clients.
Socrates divides its instances into separate networks (VPCs – virtual private clouds), which are in effect separate network segments, to better protect customer data. Instances supporting testing and development activities are hosted in a separate subnet from those supporting Socrates’ production instances. Customer data submitted to the Socrates services is only permitted to exist within Socrates’ tightly controlled network.
Network access to Socrates’ production environment from the internet is highly restricted. Staff must use VPN and multi-factor authentication to access the infrastructure. Only those network protocols essential for delivery of Socrates’ service to its customers are open at the network ingress and egress perimeter.
The Socrates service is hosted in AWS data centers. Under the AWS Shared Responsibility Model, AWS offers state-of-the-art physical protection for the servers and related infrastructure that comprise the operating environment for the Socrates service.
AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication to access data center floors. All physical access by employees is logged and routinely audited.
Socrates’ platform is designed in a three-tier architecture consisting of user interface, business logic and repository layers. Each layer is built in isolation, provides specific platform services, and is protected by a multi-layered security approach addressing confidentiality, integrity and availability.
Customers gain access to the Socrates cloud platform through supported channels via web browser and third-party communication integrations such as SMS, email, and collaboration platforms.
Socrates commissions regular, independent application-level and infrastructure-level penetration tests. An executive summary of the results of these tests is shared with Socrates management. Socrates reviews and prioritizes the reported findings and tracks them to resolution.
Socrates performs the following scheduled tests:
- Vulnerability Testing – We perform a vulnerability scan for every software release, or at least quarterly
- Internal Penetration Testing – The internal security team tests every new software release using open-source and commercial testing tools
- Penetration Testing – A third-party group completes annual testing that includes automated, manual and code review activities
New instances deployed into production are hardened by disabling unneeded and potentially insecure services, removing default passwords and applying Socrates’ custom configuration settings to each server before use.
Monitoring, logging, alerting
Socrates monitors instances, network, and elevated access to retain and analyze a comprehensive view of the security state of the production infrastructure. Administrative access, use of privileged commands, and system calls on all servers in Socrates’ production network are logged. Socrates collects and stores production logs for analysis. Logs are protected from modification and retained. Analysis of logs is automated to the extent practical to detect potential issues and alert responsible personnel. Alerts are examined and resolved based on documented priorities.
Socrates has established policies and procedures for responding to potential security incidents. All incidents are managed by Socrates’ security and business leadership team. Socrates defines the types of events that must be managed via the incident response process, and incidents are classified by severity. Incident response procedures are tested and updated at least annually.
Disaster recovery and business continuity
Socrates utilizes services provided by its hosting provider to protect its production operations across separate physical locations. Production instances are replicated among these discrete operating environments to protect the availability of Socrates’ service in the event of a location-specific catastrophic event.
Socrates also retains a full backup copy of production data in a separate location from the primary operating environment. Socrates tests backups at least quarterly to ensure they can be correctly restored.
For more information, visit www.socrates.ai, email [email protected], or call +1.888.912.5396.